CVE-2026-50226
Analyzed Analyzed - Analysis Complete

AES-128-CBC Key Forgery in AcerConnect OTA

Vulnerability report for CVE-2026-50226, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-04

Last updated on: 2026-06-08

Assigner: 8fc372e3-d9c5-46e4-9410-38469745c639

Description

Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-04
Last Modified
2026-06-08
Generated
2026-07-14
AI Q&A
2026-06-04
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
acer connect_m6e_5g_firmware to m6e_ai_1.00.000019 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves fixed AES-128-CBC encryption keys embedded within the AcerConnect OTA application. Because these keys are fixed and predictable, attackers can forge authorization credentials for any IMEI number. This unauthorized access enables attackers to list catalog items and extract protected binary files from pre-signed cloud links.

Impact Analysis

The vulnerability allows unauthorized actors to gain access to protected content by forging authorization credentials. This can lead to exposure of sensitive binaries and catalog information that should be restricted, potentially compromising device security and intellectual property.

Compliance Impact

The vulnerability allows unauthorized actors to forge authorization credentials and extract protected binaries, potentially exposing sensitive data. This exposure could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Specifically, the ability to list catalog items and extract protected binaries from pre-signed cloud links indicates a failure in access control and data protection mechanisms, which are critical requirements under these standards.

Therefore, until the vulnerability is patched, affected systems may be at risk of violating compliance obligations related to confidentiality, integrity, and security of data.

Mitigation Strategies

Users are advised to secure their devices with strong administrative passwords and restrict IPv6 traffic where possible.

Apply the forthcoming firmware patches via the device management interface as soon as they are released.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart